1 files changed, 65 insertions, 51 deletions
diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
index a09e077ba925..2a930a752a78 100644
--- a/fs/cifs/misc.c
+++ b/fs/cifs/misc.c
@@ -236,10 +236,7 @@ __u16 GetNextMid(struct TCP_Server_Info *server)
 {
        __u16 mid = 0;
        __u16 last_mid;
-        int   collision;
+        bool collision;
-        if (server == NULL)
-                return mid;
        spin_lock(&GlobalMid_Lock);
        last_mid = server->CurrentMid; /* we do not want to loop forever */
@@ -252,24 +249,38 @@ __u16 GetNextMid(struct TCP_Server_Info *server)
        (and it would also have to have been a request that
         did not time out) */
        while (server->CurrentMid != last_mid) {
-                struct list_head *tmp;
                struct mid_q_entry *mid_entry;
+                unsigned int num_mids;
-                collision = 0;
+                collision = false;
                if (server->CurrentMid == 0)
                        server->CurrentMid++;
-                list_for_each(tmp, &server->pending_mid_q) {
+                num_mids = 0;
-                        mid_entry = list_entry(tmp, struct mid_q_entry, qhead);
+                list_for_each_entry(mid_entry, &server->pending_mid_q, qhead) {
+                        ++num_mids;
-                        if ((mid_entry->mid == server->CurrentMid) &&
+                        if (mid_entry->mid == server->CurrentMid &&
-                            (mid_entry->midState == MID_REQUEST_SUBMITTED)) {
+                            mid_entry->midState == MID_REQUEST_SUBMITTED) {
                                /* This mid is in use, try a different one */
-                                collision = 1;
+                                collision = true;
                                break;
                        }
                }
-                if (collision == 0) {
+                /*
+                 * if we have more than 32k mids in the list, then something
+                 * is very wrong. Possibly a local user is trying to DoS the
+                 * box by issuing long-running calls and SIGKILL'ing them. If
+                 * we get to 2^16 mids then we're in big trouble as this
+                 * function could loop forever.
+                 *
+                 * Go ahead and assign out the mid in this situation, but force
+                 * an eventual reconnect to clean out the pending_mid_q.
+                 */
+                if (num_mids > 32768)
+                        server->tcpStatus = CifsNeedReconnect;
+                if (!collision) {
                        mid = server->CurrentMid;
                        break;
                }
@@ -381,29 +392,31 @@ header_assemble(struct smb_hdr *buffer, char smb_command /* command */ ,
 }
 static int
-checkSMBhdr(struct smb_hdr *smb, __u16 mid)
+check_smb_hdr(struct smb_hdr *smb, __u16 mid)
 {
-        /* Make sure that this really is an SMB, that it is a response,
+        /* does it have the right SMB "signature" ? */
-           and that the message ids match */
+        if (*(__le32 *) smb->Protocol != cpu_to_le32(0x424d53ff)) {
-        if ((*(__le32 *) smb->Protocol == cpu_to_le32(0x424d53ff)) &&
+                cERROR(1, "Bad protocol string signature header 0x%x",
-                (mid == smb->Mid)) {
+                        *(unsigned int *)smb->Protocol);
-                if (smb->Flags & SMBFLG_RESPONSE)
+                return 1;
-                        return 0;
+        }
-                else {
-                /* only one valid case where server sends us request */
+        /* Make sure that message ids match */
-                        if (smb->Command == SMB_COM_LOCKING_ANDX)
+        if (mid != smb->Mid) {
-                                return 0;
+                cERROR(1, "Mids do not match. received=%u expected=%u",
-                        else
+                        smb->Mid, mid);
-                                cERROR(1, "Received Request not response");
+                return 1;
-                }
-        } else { /* bad signature or mid */
-                if (*(__le32 *) smb->Protocol != cpu_to_le32(0x424d53ff))
-                        cERROR(1, "Bad protocol string signature header %x",
-                                *(unsigned int *) smb->Protocol);
-                if (mid != smb->Mid)
-                        cERROR(1, "Mids do not match");
        }
-        cERROR(1, "bad smb detected. The Mid=%d", smb->Mid);
+        /* if it's a response then accept */
+        if (smb->Flags & SMBFLG_RESPONSE)
+                return 0;
+        /* only one valid case where server sends us request */
+        if (smb->Command == SMB_COM_LOCKING_ANDX)
+                return 0;
+        cERROR(1, "Server sent request, not response. mid=%u", smb->Mid);
        return 1;
 }
@@ -448,7 +461,7 @@ checkSMB(struct smb_hdr *smb, __u16 mid, unsigned int length)
                return 1;
        }
-        if (checkSMBhdr(smb, mid))
+        if (check_smb_hdr(smb, mid))
                return 1;
        clc_len = smbCalcSize_LE(smb);
@@ -465,25 +478,26 @@ checkSMB(struct smb_hdr *smb, __u16 mid, unsigned int length)
                        if (((4 + len) & 0xFFFF) == (clc_len & 0xFFFF))
                                return 0; /* bcc wrapped */
                }
-                cFYI(1, "Calculated size %d vs length %d mismatch for mid %d",
+                cFYI(1, "Calculated size %u vs length %u mismatch for mid=%u",
                                clc_len, 4 + len, smb->Mid);
-                /* Windows XP can return a few bytes too much, presumably
-                an illegal pad, at the end of byte range lock responses
+                if (4 + len < clc_len) {
-                so we allow for that three byte pad, as long as actual
+                        cERROR(1, "RFC1001 size %u smaller than SMB for mid=%u",
-                received length is as long or longer than calculated length */
-                /* We have now had to extend this more, since there is a
-                case in which it needs to be bigger still to handle a
-                malformed response to transact2 findfirst from WinXP when
-                access denied is returned and thus bcc and wct are zero
-                but server says length is 0x21 bytes too long as if the server
-                forget to reset the smb rfc1001 length when it reset the
-                wct and bcc to minimum size and drop the t2 parms and data */
-                if ((4+len > clc_len) && (len <= clc_len + 512))
-                        return 0;
-                else {
-                        cERROR(1, "RFC1001 size %d bigger than SMB for Mid=%d",
                                        len, smb->Mid);
                        return 1;
+                } else if (len > clc_len + 512) {
+                        /*
+                         * Some servers (Windows XP in particular) send more
+                         * data than the lengths in the SMB packet would
+                         * indicate on certain calls (byte range locks and
+                         * trans2 find first calls in particular). While the
+                         * client can handle such a frame by ignoring the
+                         * trailing data, we choose limit the amount of extra
+                         * data to 512 bytes.
+                         */
+                        cERROR(1, "RFC1001 size %u more than 512 bytes larger "
+                                  "than SMB for mid=%u", len, smb->Mid);
+                        return 1;
                }
        }
        return 0;

diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c index a09e077ba925..2a930a752a78 100644 --- a/fs/cifs/misc.c +++ b/fs/cifs/misc.c
@@ -236,10 +236,7 @@ __u16 GetNextMid(struct TCP_Server_Info *server)
236	{	236	{
237	__u16 mid = 0;	237	__u16 mid = 0;
238	__u16 last_mid;	238	__u16 last_mid;
239	int collision;	239	bool collision;
240
241	if (server == NULL)
242	return mid;
243		240
244	spin_lock(&GlobalMid_Lock);	241	spin_lock(&GlobalMid_Lock);
245	last_mid = server->CurrentMid; /* we do not want to loop forever */	242	last_mid = server->CurrentMid; /* we do not want to loop forever */
@@ -252,24 +249,38 @@ __u16 GetNextMid(struct TCP_Server_Info *server)
252	(and it would also have to have been a request that	249	(and it would also have to have been a request that
253	did not time out) */	250	did not time out) */
254	while (server->CurrentMid != last_mid) {	251	while (server->CurrentMid != last_mid) {
255	struct list_head *tmp;
256	struct mid_q_entry *mid_entry;	252	struct mid_q_entry *mid_entry;
		253	unsigned int num_mids;
257		254
258	collision = 0;	255	collision = false;
259	if (server->CurrentMid == 0)	256	if (server->CurrentMid == 0)
260	server->CurrentMid++;	257	server->CurrentMid++;
261		258
262	list_for_each(tmp, &server->pending_mid_q) {	259	num_mids = 0;
263	mid_entry = list_entry(tmp, struct mid_q_entry, qhead);	260	list_for_each_entry(mid_entry, &server->pending_mid_q, qhead) {
264		261	++num_mids;
265	if ((mid_entry->mid == server->CurrentMid) &&	262	if (mid_entry->mid == server->CurrentMid &&
266	(mid_entry->midState == MID_REQUEST_SUBMITTED)) {	263	mid_entry->midState == MID_REQUEST_SUBMITTED) {
267	/* This mid is in use, try a different one */	264	/* This mid is in use, try a different one */
268	collision = 1;	265	collision = true;
269	break;	266	break;
270	}	267	}
271	}	268	}
272	if (collision == 0) {	269
		270	/*
		271	* if we have more than 32k mids in the list, then something
		272	* is very wrong. Possibly a local user is trying to DoS the
		273	* box by issuing long-running calls and SIGKILL'ing them. If
		274	* we get to 2^16 mids then we're in big trouble as this
		275	* function could loop forever.
		276	*
		277	* Go ahead and assign out the mid in this situation, but force
		278	* an eventual reconnect to clean out the pending_mid_q.
		279	*/
		280	if (num_mids > 32768)
		281	server->tcpStatus = CifsNeedReconnect;
		282
		283	if (!collision) {
273	mid = server->CurrentMid;	284	mid = server->CurrentMid;
274	break;	285	break;
275	}	286	}
@@ -381,29 +392,31 @@ header_assemble(struct smb_hdr buffer, char smb_command / command */ ,
381	}	392	}
382		393
383	static int	394	static int
384	checkSMBhdr(struct smb_hdr *smb, __u16 mid)	395	check_smb_hdr(struct smb_hdr *smb, __u16 mid)
385	{	396	{
386	/* Make sure that this really is an SMB, that it is a response,	397	/* does it have the right SMB "signature" ? */
387	and that the message ids match */	398	if ((__le32 ) smb->Protocol != cpu_to_le32(0x424d53ff)) {
388	if (((__le32 ) smb->Protocol == cpu_to_le32(0x424d53ff)) &&	399	cERROR(1, "Bad protocol string signature header 0x%x",
389	(mid == smb->Mid)) {	400	(unsigned int )smb->Protocol);
390	if (smb->Flags & SMBFLG_RESPONSE)	401	return 1;
391	return 0;	402	}
392	else {	403
393	/* only one valid case where server sends us request */	404	/* Make sure that message ids match */
394	if (smb->Command == SMB_COM_LOCKING_ANDX)	405	if (mid != smb->Mid) {
395	return 0;	406	cERROR(1, "Mids do not match. received=%u expected=%u",
396	else	407	smb->Mid, mid);
397	cERROR(1, "Received Request not response");	408	return 1;
398	}
399	} else { /* bad signature or mid */
400	if ((__le32 ) smb->Protocol != cpu_to_le32(0x424d53ff))
401	cERROR(1, "Bad protocol string signature header %x",
402	(unsigned int ) smb->Protocol);
403	if (mid != smb->Mid)
404	cERROR(1, "Mids do not match");
405	}	409	}
406	cERROR(1, "bad smb detected. The Mid=%d", smb->Mid);	410
		411	/* if it's a response then accept */
		412	if (smb->Flags & SMBFLG_RESPONSE)
		413	return 0;
		414
		415	/* only one valid case where server sends us request */
		416	if (smb->Command == SMB_COM_LOCKING_ANDX)
		417	return 0;
		418
		419	cERROR(1, "Server sent request, not response. mid=%u", smb->Mid);
407	return 1;	420	return 1;
408	}	421	}
409		422
@@ -448,7 +461,7 @@ checkSMB(struct smb_hdr *smb, __u16 mid, unsigned int length)
448	return 1;	461	return 1;
449	}	462	}
450		463
451	if (checkSMBhdr(smb, mid))	464	if (check_smb_hdr(smb, mid))
452	return 1;	465	return 1;
453	clc_len = smbCalcSize_LE(smb);	466	clc_len = smbCalcSize_LE(smb);
454		467
@@ -465,25 +478,26 @@ checkSMB(struct smb_hdr *smb, __u16 mid, unsigned int length)
465	if (((4 + len) & 0xFFFF) == (clc_len & 0xFFFF))	478	if (((4 + len) & 0xFFFF) == (clc_len & 0xFFFF))
466	return 0; /* bcc wrapped */	479	return 0; /* bcc wrapped */
467	}	480	}
468	cFYI(1, "Calculated size %d vs length %d mismatch for mid %d",	481	cFYI(1, "Calculated size %u vs length %u mismatch for mid=%u",
469	clc_len, 4 + len, smb->Mid);	482	clc_len, 4 + len, smb->Mid);
470	/* Windows XP can return a few bytes too much, presumably	483
471	an illegal pad, at the end of byte range lock responses	484	if (4 + len < clc_len) {
472	so we allow for that three byte pad, as long as actual	485	cERROR(1, "RFC1001 size %u smaller than SMB for mid=%u",
473	received length is as long or longer than calculated length */
474	/* We have now had to extend this more, since there is a
475	case in which it needs to be bigger still to handle a
476	malformed response to transact2 findfirst from WinXP when
477	access denied is returned and thus bcc and wct are zero
478	but server says length is 0x21 bytes too long as if the server
479	forget to reset the smb rfc1001 length when it reset the
480	wct and bcc to minimum size and drop the t2 parms and data */
481	if ((4+len > clc_len) && (len <= clc_len + 512))
482	return 0;
483	else {
484	cERROR(1, "RFC1001 size %d bigger than SMB for Mid=%d",
485	len, smb->Mid);	486	len, smb->Mid);
486	return 1;	487	return 1;
		488	} else if (len > clc_len + 512) {
		489	/*
		490	* Some servers (Windows XP in particular) send more
		491	* data than the lengths in the SMB packet would
		492	* indicate on certain calls (byte range locks and
		493	* trans2 find first calls in particular). While the
		494	* client can handle such a frame by ignoring the
		495	* trailing data, we choose limit the amount of extra
		496	* data to 512 bytes.
		497	*/
		498	cERROR(1, "RFC1001 size %u more than 512 bytes larger "
		499	"than SMB for mid=%u", len, smb->Mid);
		500	return 1;
487	}	501	}
488	}	502	}
489	return 0;	503	return 0;